[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Problem with encrypted assertions



Hi Sampo,

   I've upgraded to 0.63, as it notes additional Shibboleth compatibility,
but this make no change for this issue.

To reproduce:
   1. Install zxid 0.63; let it generate it's own encryption key pairs
   2. Use zxidcot to install metadata for testshib.org
   3. Initiate authentication request to testshig.org

I've independently verified the same issue exists with an educational
Shibboleth 2 IdP provider.  Currently, my only working solution is to
intercept SAML requests, decode (unbase64/unzip), decrypt (xmlsec1), and
re-encode manually (recalculating digests, as appropriate).  This is not an
ideal solution.

I suspect the issue is probably a simple one (perhaps zxid is
mis-identifying the encryption algo, or loading an incomplete encrypted
string from the XML?).  Nothing obvious issues jumped out at me yet when I
was stepping through with gdb.

   Do you have any insight into what may be the problem?

Regards,
Eric

On Mon, Aug 23, 2010 at 9:02 PM, Eric Rybski <rybskej@xxxxxxxxx> wrote:

> Hi Christian,
>
>    I've started integrating with a SAML Shibboleth IdP (testshib.org)
> which encrypts assertions, and am getting what looks to be the same error as
> you encountered:
>
> t    zxsig.c:319 zx_report_openssl_error zx E EVP_CipherFinal_ex():
> OpenSSL error(101077092) error:06065064:digital envelope
> routines:EVP_DecryptFinal_ex:bad decrypt (evp_enc.c:337): ? 0
>
> This is with zxid 0.62 and openssl 0.9.8o.  Also tried with openssl 0.9.7m.
>  I'm getting the same result with my own certs as well as allowing zxid to
> generate keys/certs.
>
>    I was able to decrypt the message with xmlsec1, built with the same
> openssl versions and compiler.  So this leads me to believe that there may
> be an issue inside zxid, with data being passed to
> openssl EVP_CipherFinal_ex().
>
> Did you ever identify a solution for this?
>
> Regards,
> Eric
>
> On Wed, Jan 20, 2010 at 10:03 AM, Christian Borup <borup@xxxxxxxx> wrote:
>
>> Hi all
>>
>> I'm not having any luck authenticating via a IdP that returns encrypted
>> assertions.
>>
>> Calling Net::SAML::simple_cf with the querry string the following is
>> printed to stderr and exit seems to be called.
>>
>> t    zxsig.c:318 zx_report_openssl_error        zx E EVP_CipherFinal_ex():
>> OpenSSL error(101077092) error:06065064:digital envelope
>> routines:EVP_DecryptFinal:bad decrypt (evp_enc.c:445): ? 0
>>
>> If I save the SAMLResponse the file xmlsec1 will decrypt it just fine
>> (after base64 decode, obviously). Using the command line:
>>  xmlsec1 --decrypt --privkey-pem /var/zxid/pem/enc-nopw-cert.pem
>> SAMLResponse.xml
>>
>> xmlsec1 and zxid are both compiled with the same OpenSSL.
>>
>> Clues anyone?